While this middleware supports the use of the * wildcard origin in the
specification, this feature is not recommended for security reasons. It
is provided to simplify basic use of CORS, practically meaning “I don’t
care how this is used.” In an intranet setting, this could lead to leakage
of data beyond the intranet and therefore should be avoided.

Perform two checks. First, if an OPTIONS request was issued, let the
application handle it, and (if necessary) decorate the response with
preflight headers. In this case, if a 404 is thrown by the underlying
application (i.e. if the underlying application does not handle
OPTIONS requests, the response code is overridden.

In the case of all other requests, regular request headers are applied.

This method permits a project to override the default CORS option values.
For example, it may wish to offer a set of sane default headers which
allow it to function with only minimal additional configuration.

Parameters:

allow_credentials (bool) – Whether to permit credentials.

expose_headers (List of Strings) – A list of headers to expose.

max_age (Int) – Maximum cache duration in seconds.

allow_methods (List of Strings) – List of HTTP methods to permit.

allow_headers (List of Strings) – List of HTTP headers to permit from the client.